From Fedora Project Wiki
(initial version)
 
(Add more owners, make ready for wrangler.)
Line 30: Line 30:


* Name: kevin | Kevin Fenzi |   
* Name: kevin | Kevin Fenzi |   
* Email: < kevin@scrye.com >
* Email: <kevin@scrye.com>
* Name: dcantrell | David Cantrell |
* Email: <dcantrell@redhat.com>
* Name: t8m | Tomas Mraz |
* Email: <tmraz@redhat.com>
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
Line 144: Line 148:
-->
-->


[[Category:ChangePageIncomplete]]
[[Category:ChangeReadyForWrangler]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->

Revision as of 16:09, 23 June 2015


Standardized Passphrase Policy

Summary

Currently a number of places ask users to set passphrases/passwords. Some of them enforce some rules for passphrases/passwords, while others enforce different rules. This change would create a common base policy for as many of these applications as possible, while allowing local users or products to override this base in cases where they need to do so.

Owner

  • Name: kevin | Kevin Fenzi |
  • Email: <kevin@scrye.com>
  • Name: dcantrell | David Cantrell |
  • Email: <dcantrell@redhat.com>
  • Name: t8m | Tomas Mraz |
  • Email: <tmraz@redhat.com>
  • Release notes owner:

Current status

  • Targeted release: Fedora 23
  • Last updated: 2015-06-23
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

We should have a base passphrase/password policy for applications to use. This allows them all to be consistent and also provides our users with needed security. Additionally, we should make it possible for our users to adjust this base policy as they need, depending on their use cases.

The applications involved in this change should be at least:

  • anaconda - sets initial root and user passphrases/passwords.
  • passwd - command line utility that changes passphrases/passwords.
  • initial-setup - sets up users if they were not set up in anaconda.
  • libpwquality - doesn't set passwords, but should be used in common for quality checking in a consistent manner.

We should provide a way for users or products to adjust this policy, and also a way to allow overriding it (if the policy allows).

Benefit to Fedora

Users will get a consistent passphrase/password policy, not different ones in multiple places. Users will be able to override that policy, ideally in one place. Users will be more secure.

Scope

  • Proposal owners: Will work with owners of these components to try and come up with a generic policy for passphrases/passwords and how to implement it, then get FESCo to approve this policy and then implement it.
  • Other developers: Will need to adjust applications and config to use a common set of requirements that can be overridden in one place.


  • Release engineering: None
  • Policies and guidelines: Will need to be approved by FESCo and FPC (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Existing installs will keep their passwords/passphrases. New changes will use the existing generic policy.


How To Test

1. Set passphrase/password for root or user in anaconda. Confirm that the policy is followed.

2. Set passphrase/password in initial-setup/gnome-initial-setup and confirm that the policy is followed.

3. Set passphrase/password with passwd and confirm the policy is followed.

4. Change the policy and confirm that all the above conform to the new policy.


User Experience

Users will see a consistent passphrase/password policy and will be able to adjust or override it.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

Keep the current inconsistent passphrase/password policy.

  • Contingency mechanism: Just don't land any changes.
  • Contingency deadline: Beta Freeze
  • Blocks release? No
  • Blocks product? No

Documentation

No documentation yet, but will be provided as part of the written policy FESCo approves.

Release Notes